Discussion in 'other anti-malware software' started by NoHolyGrail, Dec 24, 2014.
VoodooShield does look ideal. I'm going to give this a try.
I was actually wondering about that; what is the distinction between HIPS and AE? Is AE a subset of HIPS? Do all HIPS include AE functionality? I'd been using OA primarily for its AE feature.
AE can be said to be a subset of HIPS, though some AE have additional functions which may not be in HIPS. HIPS can restrict programs even after you allow their execution in various ways, such as forbidding global hooks, manipulating other processes, or any other potentially dangerous activity. I don't know if all HIPS can be used as AE, but most can.
Enable Advanced Mode (paid only), disable automatic features (see this) if you don't want it to allow programs that are not known bad, then configure each browser, PDF reader, office program, plugin process, FTP client software if you have it, and all other potentially exploitable software (right click each exe in the Programs tab) and change the "start applications" permission to "ask". You'll be notified when they attempt to spawn a new process, so if it is a legitimate one, allow only that. You'll also be prompted when an unwhitelisted program tries to run on your system.
Some caveats: You can't remove all automatic decisions by OA as long as the browser or other programs are set as trusted programs. However, untrusting those can cause issues and I don't recommend it. Even in the trusted condition, OA still asks about some activities if you set that permission to "ask"; IIRC maybe "start applications", "set global hooks", and "enumerate files"... not sure, as currently I don't have OA installed.
AE are most of the time easier to use, since they are specialized in white-listing. Not all HIPS offer AE, but if they do, the white-listing part is a bit less easy to manage, but they are often stricter when monitoring parent-child processes. This can be good for security but is sometimes also annoying. My experience is based on EXE Radar and System Safety Monitor.
What I did when I ran OA is based on the AppGuard assumption that malware downloads to a user area, not the system areas: I excluded Windows Program Files and Program Files x86. Then OA only alerted me to something new. The effect was whitelisting.
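The two mechanisms described in the posts above, a "start applications: ask" rule on exploitable parents and trusting only executables under the system areas so that anything new raises a prompt, sketched as an added example that is not code from the thread or from Online Armor/AppGuard; the event format, paths and allowlists are constructed.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (not real telemetry) in a simple
# "ParentImage=<path> Image=<path>" form; a real feed would be Sysmon event 1 or similar.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Mozilla Firefox\firefox.exe Image=C:\Program Files\Mozilla Firefox\plugin-container.exe",
    r"ParentImage=C:\Program Files\Mozilla Firefox\firefox.exe Image=C:\Windows\System32\cmd.exe",
    r"ParentImage=C:\Program Files\Microsoft Office\Office15\WINWORD.EXE Image=C:\Users\alice\AppData\Local\Temp\update.exe",
    r"ParentImage=C:\Windows\explorer.exe Image=C:\Program Files\7-Zip\7zFM.exe",
    r"ParentImage=C:\Windows\explorer.exe Image=C:\Users\alice\Downloads\invoice.pdf.exe",
    r"ParentImage=C:\Windows\explorer.exe Image=C:\Users\alice\tools\putty.exe",
]
# System areas trusted outright (the AppGuard-style exclusion of Windows and
# Program Files): only executables outside them count as "something new".
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Exploitable parents whose "start applications" permission is set to ask; the value
# is the set of children the user chose to allow ("allow only it") at a prompt.
EXPLOITABLE_PARENTS = {
    r"c:\program files\mozilla firefox\firefox.exe": {r"c:\program files\mozilla firefox\plugin-container.exe"},
    r"c:\program files\microsoft office\office15\winword.exe": set(),
}
# Programs outside the system areas that were explicitly whitelisted after a prompt.
USER_WHITELIST = {r"c:\users\alice\tools\putty.exe"}

@dataclass(frozen=True)
class Verdict:
    action: str  # "allow" or "ask"
    reason: str

def evaluate(parent: str, child: str) -> Verdict:
    """Parent-child rule first, then the path whitelist; both are case-insensitive."""
    parent, child = parent.lower(), child.lower()
    allowed_children = EXPLOITABLE_PARENTS.get(parent)
    if allowed_children is not None and child not in allowed_children:
        return Verdict("ask", f"start applications: {parent} spawned {child}")
    if child.startswith(TRUSTED_DIRS) or child in USER_WHITELIST:
        return Verdict("allow", "known program")
    return Verdict("ask", f"unwhitelisted program: {child}")

EVENT_RE = re.compile(r"ParentImage=(?P<parent>.+?) Image=(?P<child>.+)$")

def audit(events):
    """Return (parent, child, reason) for each record that would raise a prompt."""
    prompts = []
    for line in events:
        m = EVENT_RE.match(line)
        if m is None:
            continue  # malformed record; a real tool would log rather than skip it
        verdict = evaluate(m["parent"], m["child"])
        if verdict.action == "ask":
            prompts.append((m["parent"], m["child"], verdict.reason))
    return prompts
```

Note that the firefox.exe to cmd.exe record is prompted even though cmd.exe lives in a trusted area: that is the parent-child check a HIPS adds on top of plain path whitelisting.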
With all of the discussion about controlling what malware does when it gets onto a system, we tend to forget about controlling the entry points that allow the malware in the first place.
Here are four vulnerable entry points:
firewall (eg: Conficker.A via port 445)
When you think about it, proper configuration of the above and correct decisions (eg: regarding email attachments) would take care of a lot!
Whether or not people do this is beside the point: protective methods are available.
Even the so-called fileless malware so far have used the same entry points:
a browser plug-in vulnerability
a specific IE vulnerability
email attachment trickery (MS Office Document)
When you think about it, is there any difference whether a piece of malware writes to memory, or writes to disk? Malware has to gain access through an entry point.
Although I have an AE installed, in the almost ten years I've used it, it has never alerted to anything (except when I've intentionally gone to a booby-trapped web site to test a remote controlled execution exploit).
While such protection (and the newer anti-exploit software) is a nice addition to one's security, more consideration of protecting the entry points would help reduce the number of infections more than anything.
Rich makes a lot of valid points there. I didn't want to quote the whole thing and take up unnecessary space. But yes, we definitely have to take a look at all of the different avenues for attack vectors to occur in the first place. I'm sure the majority of us here at Wilders have most of that covered, but sadly the greater majority of everyday casual users are often far behind on security updates (if not turned off completely) and don't have the proper knowledge (or desire) to make the appropriate decisions. It's no wonder there are so many botnets and such. I wish that there was an easier way to reach out to that greater majority of casual users, but I suppose it doesn't help if people don't want to listen or take the time to learn on their own.
Let's take the recent Angler Exploit Kit fileless exploit as an example:
Digging deep into Angler Fileless Exploit delivery
October 1, 2014
The CVE is from last year, and Microsoft issued a patch in May, 2013:
MS13-037 Cumulative Security Update for Internet Explorer (2829530)
May 14, 2013
At that time, no exploits in the wild had been reported.
I used to advocate that each Wilders member take someone under her/his wing, so to speak, and teach basic computer security. Every little bit would help.
I have my person, and it is someone willing to learn and adapt. They have not been infected since we started. Initially it was SBIE, but now that they need to occasionally operate in a coffee shop, with business data, we went full armor on. It is working.
I agree with Rich: focusing on threat gates (for me browser, email and media player) and autoruns, plus limiting access to shell/script, has done the trick for the last 5 years.
APS from Hauri.
It can be considered an anti-executable, though it's also an anti-exploit as well.